Issue 596864

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


ASSERTION FAILED: !std::isnan(static_cast<double>(value))

Project Member Reported by ClusterFuzz, Mar 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6533042203525120

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::flooredIntPoint
  

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96GCeRVXOI9RTiKUO63Sqw6gJUew9tsYgSKciDSj9sghTATLYpOESw6x_blyn0RbbRXqICxXiUOS1F7jV1-xe_w_I0HEN93-ai_bbtPD89kb_j4ET97hIHfW2zri28Q9sVRd81krT5sD6TlzxPuqkjNgmw1Kg
<div>
<style>
* { perspective-origin: 6 -1246024361; transform: scale(18446744073709551400);


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: findit-wrong Te-Logged M-51
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: bokan@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ba05b7911b6c76eac70ba55263d8929a4962b236
Time: Thu Oct 23 20:05:30 2014
The CL last changed line 283 of file MathExtras.h, which is stack frame 0.

Author: pkasting@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cc186ed9f09844abb68dcae97604fbdb52344025
Time: Mon Oct 13 20:04:47 2014
The CL last changed line 261 of file FloatPoint.h, which is stack frame 1.

Author: allan.jensen@nokia.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7ede06709d25e115b6808b037b9e1ac3035109a7
Time: Thu Aug 09 12:20:30 2012
The CL last changed line 214 of file FloatRect.cpp, which is stack frame 2.

Author: chrishtr
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/19a84549ad0bec1308b768f96b2345d4431a8a30
Time: Tue Dec 15 19:07:24 2015
The CL last changed line 152 of file LayoutGeometryMap.cpp, which is stack frame 3.

Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/88719a882e81c1f008c8cbf89584a25769458a31
Time: Tue Jan 05 20:06:27 2016
The CL last changed line 58 of file LayoutGeometryMap.h, which is stack frame 4.

Author: chrishtr@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/84d9b3ba8691dc33dd55b9a4041324fab40b2a52
Time: Tue Aug 25 23:46:20 2015
The CL last changed line 116 of file CompositingInputsUpdater.cpp, which is stack frame 5.

Author: abarth@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dc46981faf924c3fbecf6aaffede85559364d3a9
Time: Tue Jun 24 20:03:35 2014
The CL last changed line 178 of file CompositingInputsUpdater.cpp, which is stack frame 6.

Suspected Component: chromium
------------------------------

Suspecting - https://chromium.googlesource.com/chromium/src//+/88719a882e81c1f008c8cbf89584a25769458a31 ?
@wangxianzhu: Hey, would you mind checking the above issue and seeing if it's related to your change?

Feel free to re-assign to the concerned dev if that is not the case.

I really appreciate your help.

Thank you!
Labels: -Pri-1 Pri-2
Labels: Needs-Bisect
Owner: ----
Status: Available (was: Assigned)
My change just renamed some methods.
Labels: -Needs-Bisect
Removing the bisect label as there are no manual repro steps.

Feel free to add it back if there are any repro steps or a test html file for the above issue.

Thank you!
Comment 5 by ClusterFuzz (Project Member), Jun 6 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785752009605120

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::flooredIntPoint
  

Minimized Testcase (2.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95iAvONxkR-hIkgLq2XonWJdC5Jreyrzzgjg-1NteW-qlivic_t_gNcQiC3MXp7jMyqc4Ns8WtYmqJprqCw_YY2VRHioq3Te1YX4EQQpF6zNnbllnpJBdPtfLo0KHq9VG-l1GlQnzyUCR3b7D0kj7oPB1Q4bw

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: bokan@chromium.org chrishtr@chromium.org pkasting@chromium.org
CCing a few devs of other suspected revisions. Request you all to help us in assigning the above issue to the concerned owner.

Appreciate the help.

Thank you!
Owner: chrishtr@chromium.org
It's possible that https://codereview.chromium.org/1514243004/diff/20001/third_party/WebKit/Source/core/layout/LayoutGeometryMap.cpp could have caused this.
Comment 8 by ClusterFuzz (Project Member), Jun 8 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5318656854851584

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatCeil
  

Minimized Testcase (103.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_2sHdC60q-GY2WKaLj4O5ppelixZnjk8DApe7l3TNgoovh--osTTs3wRfyvhFrT62zbn382YRkym3JTcm26Pk17eIl9Ywr1KQEmLun1PX3n8OQ56IS6zTVu7f0UP993Hsa1PLGIykq1zuQojjLkJkVV0r774zYdRmF9QqmGzgwutq_tk

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Owner: f...@opera.com
The bug is that the paintInvalidationRectInLocalSVGCoordinates for a LayoutSVGRoot
in this case has infinite bounds. fs, on your backlog if that's ok.
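As an added illustration (not Blink's code, and not from any of the commenters on this issue): a hypothetical stand-in for the clampTo<int, float> / flooredIntPoint pair named in the crash state. It shows how a rect with infinite bounds, like the one described in the comment above, yields a NaN coordinate as soon as its edges are combined, why a clamp that only asserts on NaN turns that into a debug-build crash, and what a clamp that reports NaN back to its caller looks like instead. FloatRect, IntPoint, ClampResult, clampToIntSafe and flooredIntPointSafe are assumed names with simplified semantics; the infinite rect is constructed sample input.

```cpp
// Added illustration, not Blink code: a hypothetical stand-in for the
// clampTo<int, float> / flooredIntPoint pair named in the crash state.
#include <cmath>
#include <cstdio>
#include <limits>

// Hypothetical simplified geometry types (Blink's FloatRect/IntPoint are richer).
struct FloatRect { float x, y, width, height; };
struct IntPoint { int x, y; };

struct ClampResult {
    bool ok;    // false when the input was NaN and no int can represent it
    int value;  // saturated conversion when ok is true, 0 otherwise
};

struct PointResult {
    bool ok;        // false if either coordinate was NaN
    IntPoint point; // valid only when ok is true
};

// Would the assertion quoted in the report fire for this input? The debug build
// checks !std::isnan(static_cast<double>(value)); a NaN here is the crash.
bool wouldTripClampAssert(float value) {
    return std::isnan(static_cast<double>(value));
}

// NaN-aware saturating clamp (constructed behaviour, not Blink's): reports NaN
// to the caller instead of asserting, and maps +/-infinity to INT_MAX / INT_MIN.
ClampResult clampToIntSafe(float value) {
    const double v = static_cast<double>(value);
    if (std::isnan(v)) return {false, 0};
    const double lo = std::numeric_limits<int>::min();
    const double hi = std::numeric_limits<int>::max();
    if (v <= lo) return {true, std::numeric_limits<int>::min()};
    if (v >= hi) return {true, std::numeric_limits<int>::max()};
    return {true, static_cast<int>(v)};
}

// Constructed sample input: a rect with infinite bounds, like the
// paintInvalidationRectInLocalSVGCoordinates described in the comment above.
FloatRect infiniteRect() {
    const float inf = std::numeric_limits<float>::infinity();
    return {-inf, -inf, inf, inf};
}

// Combining the edges of such a rect is where the NaN appears:
// (-inf) + (+inf) is NaN under IEEE 754, although every field was merely infinite.
float maxX(const FloatRect& r) { return r.x + r.width; }
float maxY(const FloatRect& r) { return r.y + r.height; }

// flooredIntPoint built on the safe clamp: reports failure if either coordinate
// is NaN, so the caller can skip the invalidation instead of asserting.
PointResult flooredIntPointSafe(float fx, float fy) {
    const ClampResult cx = clampToIntSafe(std::floor(fx));
    const ClampResult cy = clampToIntSafe(std::floor(fy));
    if (!cx.ok || !cy.ok) return {false, {0, 0}};
    return {true, {cx.value, cy.value}};
}

int main() {
    const FloatRect r = infiniteRect();
    std::printf("maxX is NaN: %d (assert would fire: %d)\n",
                std::isnan(maxX(r)) ? 1 : 0, wouldTripClampAssert(maxX(r)) ? 1 : 0);
    const PointResult p = flooredIntPointSafe(maxX(r), maxY(r));
    if (!p.ok)
        std::printf("flooredIntPointSafe rejected the NaN point\n");
    return 0;
}
```

The point of the split is that the assertion in MathExtras.h is a detector, not a fix: the NaN is produced upstream when infinite bounds are combined, so the durable mitigation is to keep invalidation rects finite (or reject them) before they reach the integer conversion, and a release build without the assert would otherwise carry the NaN silently into integer coordinates.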
Comment 10 by ClusterFuzz (Project Member), Jun 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5176528484958208

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::roundedIntPoint
  

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95nls9w7XLzM-IFtoxdDfjyPtqpHlT3DPx-HAEnuaf3MEAg9B9jF3FuN-GP0f4wj9SArpxwtTvwKT0lvTVwPrmC93SO529kLvr2_KRxtpsEhXxcal2Qi1nxqMmrexDsZ7lkR43uxdzTQ6YJeHm4TJPV9qYrrA
<div><iframe></iframe>
<style>
* { border-width-bottom: 99px; transform: rotatey(-90deg) rotatex(39deg);


Additional requirements: Requires HTTP

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 11 by f...@opera.com, Jun 20 2016

Looks like this report needs to be de-duped a bit. The match-window for the stack is too small, so false dupes are produced.

Suggested grouping (for whoever can update those, I don't know how to):

https://cluster-fuzz.appspot.com/testcase?key=6533042203525120 (initial report for this issue)
https://cluster-fuzz.appspot.com/testcase?key=4785752009605120

(LayoutGeometryMap::absoluteRect)

https://cluster-fuzz.appspot.com/testcase?key=5318656854851584

(LayoutSVGRoot::localOverflowRectForPaintInvalidation)

https://cluster-fuzz.appspot.com/testcase?key=5176528484958208

(FrameView::convertToLayoutObject)
Comment 12 by ClusterFuzz (Project Member), Jul 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5581807366176768

Fuzzer: inferno_twister
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatFloor
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=300995:301031

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qjhrZ-gwwoXslJPNidPb5x-DW7vQWc-FnfHw0HO9PttWNgYcUDvRUrQPBmtb1jQucl07IV-0g4Rkn1-1VNaLzGf6zlfuKW4K-_zTsfsIoIFGyG3sXheDaOTVZ_dVf8OLjFAGGtf9RT7A0ZYBpGVWl9OGVKw?testcase_id=5581807366176768
<my-host3 style="text-justify: auto; white-space: pre; ">
 	fe*A	xDTMje @cb:ZOd;<style>* {
    letter-spacing: 170141183460469231731687303715884105727mm


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 13 by ClusterFuzz (Project Member), Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5318656854851584

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatCeil
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=297944:297984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420372:420465

Minimized Testcase (103.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_2sHdC60q-GY2WKaLj4O5ppelixZnjk8DApe7l3TNgoovh--osTTs3wRfyvhFrT62zbn382YRkym3JTcm26Pk17eIl9Ywr1KQEmLun1PX3n8OQ56IS6zTVu7f0UP993Hsa1PLGIykq1zuQojjLkJkVV0r774zYdRmF9QqmGzgwutq_tk?testcase_id=5318656854851584

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 14 by ClusterFuzz (Project Member), Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6533042203525120

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::flooredIntPoint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=300995:301031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420372:420465

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95kHYFTEaDy3WjL-sKd29-Hnu-bqMxVZO2Wy0kc-l5z_6-f3032KX4d3lzPGtJ6-tvtTi7LQnnvW8qgR7w4-mRZI7nU5E5wrC-bQVIAKqtJnDhblgGpshcEqQ1kJHXcZbEWyitIc2fA0VIeTZQPZNCQAFecQQ?testcase_id=6533042203525120
<div id=output</div>
<style>
* { perspective-origin: 6 -1246024361; transform: scale(18446744073709551400);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 15 by ClusterFuzz (Project Member), Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 420372:420465.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5581807366176768

Fuzzer: inferno_twister
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::LayoutUnit::fromFloatFloor
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=300995:301031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=420372:420465

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qjhrZ-gwwoXslJPNidPb5x-DW7vQWc-FnfHw0HO9PttWNgYcUDvRUrQPBmtb1jQucl07IV-0g4Rkn1-1VNaLzGf6zlfuKW4K-_zTsfsIoIFGyG3sXheDaOTVZ_dVf8OLjFAGGtf9RT7A0ZYBpGVWl9OGVKw?testcase_id=5581807366176768
<my-host3 style="text-justify: auto; white-space: pre; ">
 	fe*A	xDTMje @cb:ZOd;<style>* {
    letter-spacing: 170141183460469231731687303715884105727mm


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 16 by ClusterFuzz (Project Member), Sep 23 2016

ClusterFuzz has detected this issue as fixed in range 402064:402065.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4785752009605120

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !std::isnan(static_cast<double>(value))
  int clampTo<int, float>
  blink::flooredIntPoint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=297944:297984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402064:402065

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96t6N0dYsnAtMoH4qGmoinZUP_H2G4023PlUA_dAba7og7nRqdycz7Mr-SZr2zU6kxh5P5gfD3zAPQxOMcGOvN_eJze9_-p3Tx3gw668HE5BD576lr7WdzNakjmNg4rffvnqlQJ9jbgnKo1PtqZY7QMVuvJOg?testcase_id=4785752009605120
<table>
  <td>
   <table><td>
<style>
* { animation-name: cfpulse83; transform: matrix(31068, 23, 11, 124, 73, 65402);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 17 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 18 by ClusterFuzz (Project Member), Dec 22 2016

Status: WontFix (was: Available)
ClusterFuzz testcase 5176528484958208 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.